From: Shrikant Bobade <shrikant_bob...@mentor.com>

Update refpolicy with the systemd init type
and the related allow rules.

Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
---
 .../refpolicy-update-for_systemd.patch             |   46 ++++++++++++++++++++
 .../refpolicy/refpolicy_2.20140311.inc             |    1 +
 2 files changed, 47 insertions(+)
 create mode 100644 
recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch

diff --git 
a/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
 
b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
new file mode 100644
index 0000000..80b420c
--- /dev/null
+++ 
b/recipes-security/refpolicy/refpolicy-2.20140311/refpolicy-update-for_systemd.patch
@@ -0,0 +1,46 @@
+refpolicy: update for systemd
+ 
+It provides the systemd support for refpolicy 
+and related allow rules. 
+The restorecon provides systemd init labeled 
+as init_exec_t.
+
+Upstream-Status: Pending
+
+
+Signed-off-by: Shrikant Bobade <shrikant_bob...@mentor.com>
+
+--- a/policy/modules/contrib/shutdown.fc
++++ b/policy/modules/contrib/shutdown.fc
+@@ -5,6 +5,9 @@
+ /sbin/shutdown        --      
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ /sbin/shutdown\.sysvinit      --      
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
++# systemd support
++/bin/systemctl        --      
gen_context(system_u:object_r:shutdown_exec_t,s0)
++
+ /usr/lib/upstart/shutdown     --      
gen_context(system_u:object_r:shutdown_exec_t,s0)
+ 
+ /usr/sbin/shutdown    --      
gen_context(system_u:object_r:shutdown_exec_t,s0)
+--- a/policy/modules/system/init.fc
++++ b/policy/modules/system/init.fc
+@@ -31,6 +31,8 @@
+ #
+ /sbin/init(ng)?               --      
gen_context(system_u:object_r:init_exec_t,s0)
+ /sbin/init\.sysvinit  --      gen_context(system_u:object_r:init_exec_t,s0)
++# systemd support
++/lib/systemd/systemd  --      gen_context(system_u:object_r:init_exec_t,s0)
+ # because nowadays, /sbin/init is often a symlink to /sbin/upstart
+ /sbin/upstart         --      gen_context(system_u:object_r:init_exec_t,s0)
+ 
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -913,3 +913,8 @@
+ optional_policy(`
+       zebra_read_config(initrc_t)
+ ')
++
++# systemd related allow rules
++allow kernel_t init_t:process dyntransition;
++allow devpts_t device_t:filesystem associate;
++allow init_t self:capability2 block_suspend;
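Review bot: The `/bin/systemctl` entry added to shutdown.fc labels the whole systemd control client `shutdown_exec_t`, although systemctl also starts, stops, enables and reloads units, so any rule written for the shutdown binary would then cover every systemctl operation. The rules that reference `shutdown_exec_t` are not visible in this patch, so how far that reaches needs checking; giving systemctl a type of its own, or at minimum adding a comment such as `# label applies to every systemctl verb, not only poweroff/reboot`, would make the scope explicit. In the init.te part, the three raw `allow` rules name `kernel_t`, `devpts_t` and `device_t` directly, where refpolicy style goes through the owning module's interface, e.g. `dev_associate(devpts_t)` in place of `allow devpts_t device_t:filesystem associate;`. Nothing in the hunk makes these rules conditional on systemd, so they would appear to be granted on sysvinit images as well.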
diff --git a/recipes-security/refpolicy/refpolicy_2.20140311.inc 
b/recipes-security/refpolicy/refpolicy_2.20140311.inc
index 8894583..557b4ab 100644
--- a/recipes-security/refpolicy/refpolicy_2.20140311.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20140311.inc
@@ -29,6 +29,7 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
             file://poky-fc-rpm.patch \
             file://poky-fc-ftpwho-dir.patch \
             file://poky-fc-fix-real-path_su.patch \
+            file://refpolicy-update-for_systemd.patch \
            "
 
 # Specific policy for Poky
-- 
1.7.9.5
